During my analysis of Easy Anti-Cheat’s (EAC) driver detection, I uncovered a significant logic flaw in how the system identifies the Interception framework, a common tool used by input-based cheats for aimbots and recoil compensation.
The vulnerability stems from a reliance on static filename verification rather than signature or interface checks.
The Logic Flaw
After analyzing the launch sequence, I noted that EAC was specifically querying for two driver names:
- keyboard.sys
- mouse.sys
By testing the driver’s response, I realized that as long as these filenames existed and were linked to a module path, EAC considered its check complete. However, the system failed to verify the content, hash, or digital signature of these specific files.
The Bypass (Renaming)
The bypass was shockingly simple:
- Rename keyboard.sys -> kbsys.sys
- Rename mouse.sys -> msys.sys
- Launch the game.
Because the static filename check failed to find the target strings, the Interception drivers remained fully functional in the kernel. EAC did not issue a warning or unload the modules, allowing input-based cheats to slide right past the detection layer.
Analysis & Recommendation
This represents a surface-level “lazy check” that prioritizes system performance over deep integrity. In my report to the Epic team, I recommended a runtime check for the actual interception interfaces using CreateFileA to probe for \\.\interception00. This is far more resilient than checking strings on a disk.
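A sketch of the interface-level check recommended above, set against a model of the filename check (an added example, not code from the original post or from EAC). The probe callback, the simulated host, the module list and the device count of 20 are assumptions; the post names only \\.\interception00.

```c
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

typedef int (*probe_fn)(const char *device_path); /* 1 = device object exists */

/* Model of the filename check the post describes (assumed logic, not EAC's code). */
int name_check(const char *const *modules, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (!strcmp(modules[i], "keyboard.sys") || !strcmp(modules[i], "mouse.sys"))
            return 1;
    return 0;
}

/* Interface check: count \\.\interceptionNN device objects that respond.
   max_devices is an assumption; the post names only \\.\interception00. */
int interface_check(probe_fn probe, int max_devices) {
    char path[32];
    int found = 0;
    for (int i = 0; i < max_devices && i < 100; i++) {
        snprintf(path, sizeof path, "\\\\.\\interception%02d", i);
        if (probe(path)) found++;
    }
    return found;
}

#ifdef _WIN32
/* Live probe with CreateFileA, the call the post recommends. */
int win_probe(const char *path) {
    HANDLE h = CreateFileA(path, GENERIC_READ, 0, NULL, OPEN_EXISTING, 0, NULL);
    if (h != INVALID_HANDLE_VALUE) { CloseHandle(h); return 1; }
    DWORD err = GetLastError(); /* these errors mean the name resolved */
    return err == ERROR_ACCESS_DENIED || err == ERROR_SHARING_VIOLATION;
}
#endif

/* Constructed stand-ins: a host with the renamed drivers loaded. */
int sim_probe(const char *path) { return strcmp(path, "\\\\.\\interception00") == 0; }
const char *const renamed_modules[] = { "ntoskrnl.exe", "kbsys.sys", "msys.sys" };

int main(void) {
    printf("filename check hits: %d\n", name_check(renamed_modules, 3));
    printf("interface check hits (simulated): %d\n", interface_check(sim_probe, 20));
#ifdef _WIN32
    printf("interface check hits (live): %d\n", interface_check(win_probe, 20));
#endif
    return 0;
}
```

On the constructed data the filename check reports nothing while the interface check still counts one responding device, because the device name does not change when the .sys files are renamed.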
Status: This vulnerability was responsibly disclosed to Epic Games and has since been patched.